Darkness4
commented
11 months ago If I'm not mistaken, a passkey is not an identity provider?
I don't want my example to be out-of-scope and implement my own identity provider. When using passkeys, you need to store a public key per user, right? I would have to implement a database containing user identities associated with their public keys, which is a big no-no... (I would also have to implement a registration page...).
Well, I could associate the public key with an hash (like with MetaMask), and do it "identity-less", but I think that would be an other type of use-case (that would be interesting though). Flow would be similar to Metamask/Ethereum:
- The server sends a challenge (a message to be signed) to the authenticator (Metamask, Passkey, etc.).
- The user signs the challenge with his private key, by interacting with the authenticator. Once the challenge is signed, the user sends his public key and the signed message to the server.
- Using the public key, the server verifies the signed message and uses the hash of the public key as the user's identity (ethereum uses keccak256).
If you want me to write that example with HTMX and WebAuthn with public key as identity, sure, why not. I've already implemented this kind of flow in other projects (without HTMX).
EDIT: Looks like with webauthn, you need to have a user database? Maybe, with simply FIDO? Will see that later... (You can give me some references, if you want)
EDIT 2: Looks like the webauthn "ceremonies" need a user ID in the payload, and the authentication step doesn't resend the public key after registration.
Welp, I won't do that flow then.
gedw99
I agree that doing your own auth and auth is nuts.
the code has 2 OIDC based providers currently , and I am contemplating adding Passkeys.
I changed all third parties services I use over to passkeys.
I tried out some basic golang code and it works great on all mobiles and desktops except Window arm.
there is some golang code I can dig out if your interested.